More attacks – Hilary Kneber and meqashoppecom – Part II

A few days ago we reported a large-scale attack affecting WordPress sites hosted on 123-reg servers. The attackers were using the domains meqashopperinfo.com and meqashopperonline.ccom to spread the malware. You can read more about it here.

Today we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using meqashoppercom.com to spread the malware, and the following JavaScript gets added to the affected sites (result from our scanner):

Malware is getting loaded from:

http://meqashoppercom.com/kb.php
http://77.78.240.233/index.php?xxx

All the sites we’ve seen so far have the following code added to all PHP files:

Note: The domain meqashoppercom.com (77.78.240.233, 77.78.239.53) IS NOT blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.
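Since the domain is not blacklisted, site owners cannot rely on browser or AV blocking and need to check their own files. The script below is an added example, not part of the original post or any Sucuri tool: it walks a web root and reports every PHP, HTML or JS file that references the loader domain or IPs quoted above. The sample web root it builds under a temporary directory is constructed for the demonstration; the only values taken from the post are the indicators themselves.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post: the loader domain and the two IPs it resolves to.
INDICATORS = ("meqashoppercom.com", "77.78.240.233", "77.78.239.53")

# One case-insensitive alternation of the literal indicators; re.escape keeps the
# dots in the domain and IPs from matching any character.
INDICATOR_RE = re.compile("|".join(re.escape(i) for i in INDICATORS), re.IGNORECASE)


def scan_file(path):
    """Return [(line_number, indicator), ...] for every indicator hit in one file.

    Files are read with errors="replace" so a binary or oddly encoded file does
    not abort the whole scan; unreadable files simply yield no hits.
    """
    hits = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                for match in INDICATOR_RE.finditer(line):
                    hits.append((lineno, match.group(0).lower()))
    except OSError:
        pass
    return hits


def scan_tree(root, extensions=(".php", ".html", ".js")):
    """Walk a web root and map each affected file (POSIX-style relative path) to its hits.

    The post says the code was added to all PHP files, so .php is the main target;
    .html and .js are included because the loader is pulled in as a script reference.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_webroot():
    """Create a constructed sample web root (not taken from the post) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "wp-content").mkdir()
    # Constructed: a PHP file carrying a script reference to the loader URL from the post.
    (root / "index.php").write_text(
        "<?php\n"
        "echo '<script src=\"http://meqashoppercom.com/kb.php\"></script>';\n"
        "get_header();\n"
    )
    # Constructed: a second file pointing at the raw-IP form of the loader.
    (root / "wp-content" / "footer.php").write_text(
        "<?php\n"
        "// CONSTRUCTED sample\n"
        "echo '<script src=\"http://77.78.240.233/index.php?xxx\"></script>';\n"
    )
    # Constructed: a clean file that must not be reported.
    (root / "wp-content" / "clean.php").write_text("<?php\necho 'hello';\n")
    # A non-web file mentioning the domain is skipped by the extension filter.
    (root / "notes.txt").write_text("meqashoppercom.com is on our blocklist\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, hits in scan_tree(sample_root).items():
        for lineno, indicator in hits:
            print(f"{rel_path}:{lineno}: {indicator}")
```

Point `scan_tree` at the real document root instead of the sample tree to check a live site. The match is a literal substring, so it finds the plain-text references shown in the post; an injection that hex- or base64-encodes the URL would need the file decoded first, which is why a clean hit list is a starting point for cleanup and not proof that a site is clean.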

What’s interesting is that the domain is registered by the same people responsible for the previous attacks at GoDaddy, Bluehost, etc.: Hilary Kneber: